[dnsdist] dnsdist using loopback address as source address for queries

Adam Bishop Adam.Bishop at jisc.ac.uk
Mon Sep 13 12:47:39 UTC 2021


On 13 Sep 2021, at 13:31, Remi Gacogne via dnsdist <dnsdist at mailman.powerdns.com> wrote:
> That's very weird, I don't have any clue to what might be happening. Would you mind sharing the whole configuration? In particular, do you set the source interface? I would also be very interested in seeing a strace of the process while the issue is happening.

Sure, I can attach strace the next time I catch it in the act. It's occurring infrequently, but reliably, so it might take me a few days. Source interface is not explicitly set, as the host is single homed.

Whole config follows.

Adam

-- Config Start

--
-- UI
--

-- Enable the CLI
setKey("<snip>")
controlSocket("127.0.0.1:5199")
controlSocket("[::1]:5199")

-- Enable stats monitoring and graphing via HTTP
webserver("127.0.0.1:8080")
webserver("[::1]:8080")
setWebserverConfig(
   {
       customHeaders = {["X-Served-By"] = "<snip>"},
       apiKey = "<snip>",
       password = "<snip>"
   }
)

--
-- Services
--

-- Listen on port 53 for IPv4 and IPv6 with TCP and UDP
addLocal("0.0.0.0:53", {reusePort = true, tcpFastOpenSize = 0})
addLocal("[::]:53", {reusePort = true, tcpFastOpenSize = 0})

setACL({'0.0.0.0/0', '::/0'})

setECSSourcePrefixV4(32)
setECSSourcePrefixV6(128)

authdomains = newSuffixMatchNode()
authdomains:add(newDNSName("lbdn.domain."))
authdomains:add(newDNSName("pool.domain."))
authdomains:add(newDNSName("lan.domain."))

--
-- Backends
--

setVerboseHealthChecks(true)

newServer(
   {
       address = "<snip>60::195",
       order = 3,
       useClientSubnet = true,
       checkType = "SOA",
       checkName = "lbdn.domain",
       mustResolve = true,
       checkInterval = 120
   }
)

newServer(
   {
       address = "<snip>.195",
       order = 4,
       useClientSubnet = true,
       checkType = "SOA",
       checkName = "lbdn.domain",
       mustResolve = true,
       checkInterval = 120
   }
)

newServer(
   {
       address = "<snip>70::67",
       order = 1,
       useClientSubnet = true,
       checkType = "SOA",
       checkName = "lbdn.domain",
       mustResolve = true,
       checkInterval = 120
   }
)

newServer(
   {
       address = "<snip>.67",
       order = 2,
       useClientSubnet = true,
       checkType = "SOA",
       checkName = "lbdn.domain",
       mustResolve = true,
       checkInterval = 120
   }
)

setServerPolicy(firstAvailable)
getPool(""):setECS(true)

--
-- Caching
--

-- Attach a cache to the default pool to store records up to 1 week
getPool(""):setCache(
   newPacketCache(
       1000000,
       {
           maxTTL = 604800,
           minTTL = 0,
           temporaryFailureTTL = 30,
           staleTTL = 30,
           dontAge = true,
           keepStaleData = true,
           parseECS = true,
           cookieHashing = true
       }
   )
)

-- rfc8767 recommends a stale lifetime of 1 to 3 days
setStaleCacheEntriesTTL(259200)

--
-- DNS Rules
--

-- Special: Log the packet to syslog
addAction(AllRule(), LogAction("", false, false, false, false))

-- Special: Strip the rd bit from all traffic
addAction(RDRule(), SetNoRecurseAction())

-- Special: Reply to ANY queries with NOTIMP
addAction(QTypeRule(DNSQType.ANY), ERCodeAction(DNSRCode.NOTIMP, {ra = false}))

-- Filter: Allow only 'good' queries to specified domains
addAction(
   AndRule(
       {
           -- Allow only queries to specified domains
           SuffixMatchNodeRule(authdomains),
           -- Allow only regular queries
           NotRule(
               OrRule(
                   {
                       QTypeRule(DNSQType.AXFR),
                       QTypeRule(DNSQType.IXFR)
                   }
               )
           ),
           -- Allow only regular opcodes
           NotRule(
               OrRule(
                   {
                       OpcodeRule(DNSOpcode.Notify),
                       OpcodeRule(DNSOpcode.Update),
                       OpcodeRule(DNSOpcode.IQuery),
                       OpcodeRule(DNSOpcode.Status)
                   }
               )
           ),
           -- Allow only class 'IN'
           QClassRule(1)
       }
   ),
   AllowAction()
)

-- Default deny: refuse everything else
addAction(AllRule(), RCodeAction(DNSRCode.REFUSED, {ra = false}))

-- Config End
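Remi's question above turns on whether a source interface is set. As an added example (not from Adam's config or from dnsdist's own documentation), the following reworks the four newServer blocks so each backend pins its source address explicitly through newServer's `source` option, taking the routing-table choice out of the picture; the host and backend addresses are RFC 5737/3849 documentation placeholders that must be replaced with the real ones.

```lua
-- Added example, not part of the original post: pin the source address per
-- backend and factor out the health-check settings shared by all four.
-- Placeholder addresses from the documentation prefixes (192.0.2.0/24,
-- 2001:db8::/32); substitute the host's own interface addresses.
local hostSourceV4 = "192.0.2.10"
local hostSourceV6 = "2001:db8::10"

-- Choose the source address of the same family as the backend address.
local function sourceFor(address)
  if address:find(":", 1, true) then
    return hostSourceV6
  end
  return hostSourceV4
end

-- Same health-check settings as the config above, plus an explicit source
-- so the kernel never has to pick one (and cannot pick loopback).
local function addBackend(address, order)
  newServer({
    address = address,
    order = order,
    source = sourceFor(address),
    useClientSubnet = true,
    checkType = "SOA",
    checkName = "lbdn.domain",
    mustResolve = true,
    checkInterval = 120
  })
end

-- Same ordering as the original four backends (placeholder addresses).
addBackend("2001:db8:70::67", 1)
addBackend("192.0.2.67", 2)
addBackend("2001:db8:60::195", 3)
addBackend("192.0.2.195", 4)
```

If queries still leave from a loopback address with the source pinned, the strace Remi asked for would then point at something other than source-address selection.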
